Data Protection Policy
Whitehelm consists of the following companies: Whitehelm Capital Pty Ltd (ACN 008 636 717), Australian Financial Services Licence 244434; and Whitehelm Capital Limited, authorised and regulated by the Financial Conduct Authority (FCA) FRN 599417, Registered No 06035691, Registered Office: 5th Floor, 17 St Swithins Lane, London, EC4N 8AL (together, ‘Whitehelm’ or the ‘Firm’).
Whitehelm is required to, and this policy does, comply with the Privacy Act 1988 (‘Privacy Act’), the Australian Privacy Principles (‘APPs’) and Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulations or “GDPR”) (together the ‘Regulations’).
Whitehelm’s supervisory authority with respect to the Regulations is the Information Commissioner’s Office (“ICO”) in the UK and the Australian Information Commission (“OAIC”) in Australia. In addition, the Financial Conduct Authority has indicated that firms should ensure compliance with GDPR as part of their obligations under the FCA Handbook.
The scope of the GDPR is not limited to the European Economic Area (EEA) and extends to data subjects of the Firm wherever in the world they are located.
This document constitutes Whitehelm’s data protection policy (the “Policy”). It sets out the obligations of the Firm regarding data protection and the rights of data subjects in respect of their personal data. More specifically, the Policy sets out Whitehelm’s obligations regarding the collection, processing, transfer, storage and disposal of personal data. The procedures set out in this Policy must be followed at all times by the Firm, its employees, agents, contractors or other parties working on behalf of the Firm.
Whitehelm places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
Processing Personal Data
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person” (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” of personal data includes any operation or set of operations which is performed on personal data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Whitehelm collects and processes personal data directly from data subjects and also personal data obtained from third parties.
For the purpose of GDPR the Firm has determined that it is a ‘data controller’ and a ‘data processor’ with respect to certain personal data. Under GDPR:
- a “controller” is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- a “processor” is any natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
Due to the nature of its business, Whitehelm processes only a limited amount of personal data; therefore the Firm has determined that it does not require a statutory Data Protection Officer. However, the Firm’s Board and Senior Management, including the Chief Operations Officer (“COO”), shall be responsible for overseeing implementation and monitoring compliance with this Policy and with the GDPR.
THE DATA PROTECTION PRINCIPLES FOR PROCESSING
The GDPR sets out seven principles (the “Principles”) with which any party handling personal data must comply:
- Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose Limitation
Personal data must be collected for a specified, explicit and legitimate purpose and should not be processed for any other purpose that is incompatible with that specified purpose.
- Data Minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed and for the purposes of which data subjects have been (or will be) informed.
- Accuracy
Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the processing purpose(s).
- Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability
The controller is responsible for compliance with the Principles and should be able to demonstrate that processing activities are compliant with the Principles.
Whitehelm demonstrates its compliance with the Principles in the following ways:
- Maintaining internal policies and procedures to address the appropriate handling of personal data. All Firm policies are regularly reviewed by senior management.
- Annual staff training to ensure those that handle personal data are aware of and agree to comply with the Principles.
- Maintaining a log of personal information held at the firm and the legal basis for handling such data.
LAWFUL BASIS FOR PROCESSING
The Firm, where it is a controller, is required to have a lawful basis for each processing purpose unless it can rely on an exemption.
There are six lawful bases:
- Consent
The data subject has given valid consent to the processing of their personal data for one or more specific purposes.
- Performance of a Contract
The processing is necessary for entering into or the performance of a contract to which the data subject is a party.
- Compliance with Legal Obligations
The processing is necessary for compliance with a legal obligation to which the data controller is subject, including but not limited to regulatory, tax or anti-money laundering obligations.
- Vital Interests
The processing is necessary to protect the vital interests of the data subject or of another natural person when the processing cannot be manifestly based on another lawful basis.
- Public Task
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate Interests
The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data.
TYPES OF PERSONAL DATA COLLECTED, HELD AND PROCESSED
Whitehelm may collect personal information directly from data subjects or from a third party that such data subject has authorised to provide the relevant information. Whitehelm collects personal information including but not limited to: name, job title, company name, address, telephone number (landline and mobile) and email address.
When a visitor accesses the Whitehelm website, the Firm’s Internet Service Provider makes a record of each visit and produces statistical information, which Whitehelm may monitor. The information is not of a personal nature and is recorded and used in order to continually improve the Firm’s website and ascertain areas of public interest.
Personal data collected by Whitehelm is used primarily for the delivery and development of Whitehelm’s products and services. Primary uses include:
- transactions – products and services
- account keeping – contact details and methods of payment for these services; and
- enquiries – details used to respond to enquiries regarding Whitehelm’s products and services.
The Firm complies with the Principles at all times when handling and processing personal data.
Disclosure of Personal Data
Whitehelm does not:
- sell contact lists or usage information to any third party; or
- report usage or user information to any third party.
Whitehelm does not accept any advertising on its website and therefore has no information reporting requirements to any third party. Personal information will only be disclosed for the purposes for which it was collected.
Given legal requirements on financial institutions to identify their customers, in most situations Whitehelm is unable to allow transactions on the basis of anonymity (including the use of a pseudonym).
TYPES OF DATA SUBJECT
Whitehelm has identified that it has the following types of data subject:
- Employees, directors, officers, contractors
- Clients (potential and actual)
- Representatives of investee companies
- Professional service providers (e.g. external Directors, advisers)
THE RIGHTS OF DATA SUBJECTS
The GDPR sets out the following rights applicable to data subjects:
THE RIGHT TO BE INFORMED
Where information is obtained directly from a data subject, upon request the Firm shall provide the data subject with information on the purpose for which their personal data is being collected and the legal basis for processing such data.
This Policy provides data subjects with detail on their rights under the Regulations.
THE RIGHT OF ACCESS
Data subjects may request access to the personal data that the Firm holds on them at any time to allow them to be aware of and verify the lawfulness of the processing of their personal data.
Whitehelm shall aim to respond to access requests within one month of receipt; however, this may be extended by up to two months if the request is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed. All requests received shall be handled by the Firm’s COO.
THE RIGHT TO RECTIFICATION
Data subjects have the right to require the Firm to rectify any of their personal data that is inaccurate or incomplete. The Firm shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Firm of the issue.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
THE RIGHT TO ERASURE (AKA THE “RIGHT TO BE FORGOTTEN”)
Data subjects have the right to request that the Firm erase the personal data it holds about them. Unless the Firm has reasonable grounds to refuse to erase personal data, such as the exercise or defence of legal claims or compliance with a regulatory or other legal obligation, all requests for erasure shall be complied with, and the data subject informed of the erasure.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or unreasonable to do so).
THE RIGHT TO RESTRICT PROCESSING
If data subjects are not able to enforce the right to erasure, they may have a right to block the processing of personal data by the Firm. If a data subject requests a restriction, Whitehelm will only process data, with the exception of storage, with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. Whitehelm will retain only the amount of personal data related to the data subject that is necessary to ensure that the personal data under restriction is not processed further.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or unreasonable to do so).
THE RIGHT TO DATA PORTABILITY
Data subjects have the right to request and receive a copy of their personal data from the Firm in a machine-readable format, and to transfer it from the Firm to another controller for their own purposes.
THE RIGHT TO OBJECT
Data subjects have the right to object to processing of their personal data by Whitehelm if the lawful basis relied upon is the legitimate interests of the Firm. Where a data subject objects to Whitehelm processing their personal data based on its legitimate interests, Whitehelm shall cease such processing immediately, unless it can be demonstrated that the Firm’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
DATA SUBJECT REQUESTS
Any requests received by an employee, contractor or agent of the Firm from a data subject shall be forwarded to the COO without delay.
Appointment of Third Party Processors
Whitehelm sometimes utilises the services of third party service providers who act as processors with respect to personal data collected by the Firm.
Whitehelm ensures that it only engages service providers who guarantee compliance with the GDPR and monitors its third-party processors on an ongoing basis.
Where Whitehelm assesses that it is a joint controller of personal data it ensures that there is a clear apportionment of compliance responsibilities between the Firm and the other controller.
Cross Border Transfers
Whitehelm is a global firm; therefore, personal data is regularly transferred in and out of the EEA via the Firm’s IT systems in the ordinary course of business.
A Data Transfer Agreement is in place between Whitehelm Capital Pty Ltd, registered in Australia, and Whitehelm Capital Ltd, registered in England & Wales, to confirm that cross-border data transfers are compliant with the GDPR.
The Firm, either as a controller or a processor, shall keep written internal records of all personal data collection, holding, and processing.
Personal Data Security
Personal data is stored in accordance with Whitehelm’s Record Keeping Policy.
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it shall be securely deleted and disposed of.
The Firm ensures that appropriate security measures are taken with respect to IT and information security in accordance with Whitehelm’s Cyber Security Statement.
Whitehelm shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- only employees, agents, sub-contractors, or other parties working on behalf of the Firm that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Firm;
- those handling personal data will be appropriately trained to do so;
- those handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise; and
- methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed.
Whitehelm has an obligation to monitor the effectiveness of its data protection arrangements and to demonstrate compliance with this Policy. This obligation has been incorporated into the Firm’s general compliance monitoring process.
RESPONSIBILITY FOR PERSONAL DATA MONITORING
Monitoring is performed by Whitehelm’s COO with ongoing review and oversight from the compliance function.
In the event that Whitehelm’s monitoring procedures identify any deficiencies in the Firm’s Policy, the issue identified shall be promptly escalated to senior management with sufficient detail and any proposed corrective action to be taken, including any proposed changes to this Policy.
Data Breaches – Notification and Sanctions
All data breaches must be reported immediately to the Firm’s COO. Whitehelm maintains a comprehensive Data Breach Response Plan outlining steps to be taken in the event of a breach.
Further enquiries or feedback about Whitehelm’s Data Protection Policy can be directed to: DataProtection@WhitehelmCapital.com.